NAME
pam_alreadyloggedin — Already-logged-in PAM module
SYNOPSIS
[service-name] module-type control-flag pam_alreadyloggedin [options]
DESCRIPTION
The Already-logged-in authentication service module for PAM, pam_alreadyloggedin, provides functionality for only one PAM category: authentication. In terms of the module-type parameter, this is the “auth” feature. It also provides null functions for other PAM categories.
Already-logged-in Authentication Module
The Already-logged-in authentication component (pam_sm_authenticate()) returns success if and only if the target user's ID is identical to a current login specified in the utmp(5) database and verified with matching permissions on that login's respective terminal in /dev. If a user shows up in w(8) output, they will generally be allowed to authenticate using this method.
The following options may be passed to the authentication module:
- debug
  Enable verbose output to syslog at LOG_DEBUG level.
- no_debug
  Disable verbose output to syslog even if it's enabled at compile time.
- no_root
  Never allow login with a target user ID of zero.
- restrict_tty=ttyglob*
  Only allow login if the terminal device currently being authenticated on matches ttyglob*. The ttyglob* argument is specified as a shell glob, and checked using the fnmatch(3) function. For example, restrict_tty=/dev/tty[1-6] allows login only from the text consoles of the physical terminal.
- restrict_loggedin_tty=ttyglob*
  Disallow recognition that the user is already logged in unless the terminal device logged in upon matches ttyglob*.
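The following is an added example, not the module's source code: a small C model of how the options above combine with the utmp(5) and terminal check. It assumes that "matching permissions" means the terminal is owned by the target user ID and that fnmatch(3) is called with no flags; the struct and function names are hypothetical, the login records are constructed, and the globs follow the Linux convention of a /dev/ prefix in both options.

```c
#include <fnmatch.h>
#include <stdio.h>
#include <string.h>
#include <sys/types.h>

/* One current login: a utmp(5) record plus the stat(2) owner of its terminal. */
struct login { const char *user; const char *tty; uid_t tty_owner; };

struct opts {
    int no_root;                       /* no_root given */
    const char *restrict_tty;          /* glob for the terminal being authenticated on, or NULL */
    const char *restrict_loggedin_tty; /* glob for the already-logged-in terminal, or NULL */
};

/* Returns 1 when the documented conditions for success hold, 0 otherwise. */
int already_logged_in(const struct opts *o, const char *user, uid_t uid,
                      const char *auth_tty, const struct login *l, size_t n)
{
    if (o->no_root && uid == 0)
        return 0;                      /* never succeed for user ID zero */
    if (o->restrict_tty && fnmatch(o->restrict_tty, auth_tty, 0) != 0)
        return 0;                      /* current terminal is outside the glob */
    for (size_t i = 0; i < n; i++) {
        if (strcmp(l[i].user, user) != 0 || l[i].tty_owner != uid)
            continue;                  /* other user, or tty not owned by the target */
        if (o->restrict_loggedin_tty &&
            fnmatch(o->restrict_loggedin_tty, l[i].tty, 0) != 0)
            continue;                  /* this login is on a terminal that does not count */
        return 1;
    }
    return 0;
}

/* Constructed sample logins. */
static const struct login sample[] = {
    { "alice", "/dev/tty1",  1000 },
    { "dave",  "/dev/pts/5", 1003 },   /* logged in on a pseudo-terminal only */
    { "bob",   "/dev/pts/4", 1000 },   /* utmp names bob (uid 1001), tty owned by another uid */
    { "root",  "/dev/tty2",  0 },
};
static const size_t sample_n = sizeof sample / sizeof sample[0];
static const struct opts strict = { 1, "/dev/tty[1-6]", "/dev/tty[1-6]" };
static const struct opts lax    = { 0, NULL, NULL };

int main(void)
{
    printf("alice, strict, tty3: %d\n", already_logged_in(&strict, "alice", 1000, "/dev/tty3", sample, sample_n));
    printf("root,  strict, tty3: %d\n", already_logged_in(&strict, "root", 0, "/dev/tty3", sample, sample_n));
    printf("dave,  strict, tty3: %d\n", already_logged_in(&strict, "dave", 1003, "/dev/tty3", sample, sample_n));
    return 0;
}
```

With no options at all, any session that appears in utmp(5) on a terminal the user owns, including a remote pseudo-terminal, is enough for success; the two globs are what tie the shortcut to local consoles.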
EXAMPLE
Modify the auth section of the /etc/pam.d/login file as follows:
auth required /lib/security/pam_securetty.so
auth sufficient /lib/security/pam_alreadyloggedin.so no_root
auth required /lib/security/pam_stack.so service=system-auth
BUGS
The FreeBSD version expects a /dev/ prefix in the restrict_tty value, but the value of restrict_loggedin_tty should be given without it. The Linux version expects /dev/ in both cases.
SEE ALSO
fnmatch(3), getuid(2), stat(2), utmp(5), w(8), pam.conf(5), pam(8)
AUTHORS
Adapted for Linux PAM by Ilya Evseev in Jan 2004.
The original pam_alreadyloggedin module and this manual page were developed for the FreeBSD Project by NAI Labs and ThinkSec AS, the Security Research Division of Network Associates, Inc. under DARPA/SPAWAR contract N66001-01-C-8035 (“CBOSS”), as part of the DARPA CHATS research program.